RE: [ActiveDir] DFS use question

2004-04-13 Thread Bruce Clingaman
Some questions to ask yourself: How much change occurs within an hour? What hardware are the servers running on? Enough RAM, processors, drive performance... The more change the greater the requirements of hardware, space for staging and bandwidth. Seriously consider a third party. I had some

RE: [ActiveDir] using dsacls.exe

2004-04-13 Thread Roger Seielstad
Hmmm.. Interesting use of the term "staged" - gonna have to use that.. Actually, the Westin was the designated hotel for, um, well, not Exchange. -- Roger D. Seielstad - MTS MCSE MS-MVP Sr. Systems Administrator Inovis Inc.

RE: [ActiveDir] logon scripts

2004-04-13 Thread Roger Seielstad
Except Deji forgets one important piece of information (which is rare for him) - VBScript doesn't natively run on Win9x. It requires a separate install of Windows Scripting Host. -- Roger D. Seielstad - MTS MCSE MS-MVP Sr. Systems

[ActiveDir] Firewall

2004-04-13 Thread Douglas M. Long
Do you all force your XP clients to have the built-in firewall enabled? Are there any cons (such as some GPs not working) to having it enabled? The reason I ask is I am having a problem finding the culprit which is causing some users the inability to edit their "editable" (phone number,

RE: [ActiveDir] logon scripts - Kixtart

2004-04-13 Thread Kelly Jeglum
Is anyone using Kixtart as a utility along with their logon scripts? Kelly J. Jeglum LAN Mgr. Auxiliary Services University of Wisconsin Milwaukee -Original Message- From: Rick Kingslan [mailto:[EMAIL PROTECTED] Sent: Monday, April 12, 2004 11:48 PM To: [EMAIL PROTECTED] Subject:

Re: [ActiveDir] Firewall

2004-04-13 Thread Robbie Foust
I'm not using the XP firewall yet, but I'll consider it with SP2 since it is much better. The built in firewall isn't supposed to interfere with communications with DC's, I think. Are you getting any specific error message when users try to edit their attributes? Or do they just not have

RE: [ActiveDir] DFS use question

2004-04-13 Thread Marcus.Oh
I concur... especially considering the restore time in the event that replication screws up and critical information is pushed off to a Staging area, inaccessible to the user. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan Sent: Monday,

RE: [ActiveDir] Firewall

2004-04-13 Thread Justin_Leney
Return Receipt Your RE: [ActiveDir] Firewall document :

RE: [ActiveDir] Firewall

2004-04-13 Thread simon.geary
Have a look in c:\windows\pfirewall.log to see what traffic is being dropped by the firewall. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long Sent: 13 April 2004 14:32 To: [EMAIL PROTECTED] Subject: [ActiveDir] Firewall Do you all force your XP clients to

RE: [ActiveDir] Firewall

2004-04-13 Thread Depp, Dennis M.
This is not a firewall issue. The Windows ICF allows all outbound connections. Denny -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jimmy Andersson Sent: Tuesday, April 13, 2004 9:42 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Firewall I will

RE: [ActiveDir] Firewall

2004-04-13 Thread Douglas M. Long
The attributes are actually greyed out, and not even editable. I have no errors in the event log, all of the users that are having the problem (which I now know is not related to the firewall, due to the fact that I just found an instance proving otherwise...one more variable out of the way) have

RE: [ActiveDir] Updating Schema to Windows 2003

2004-04-13 Thread Salandra, Justin A.
So in summary, I should be able to adprep the forest with no problems if all DC's are running at least Windows 2000 SP3 and Exchange 2003? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A. Sent: Wednesday, April 07, 2004 10:13 AM To:

RE: [ActiveDir] Active Directory GC Locator Services and why Exchange would STILL be broke if the AD team fixed it - WAS: using dsacls.exe

2004-04-13 Thread Mulnick, Al
Joe(ware) brings up an interesting point. AutoDL has been recommended for group management for some time. I don't expect that this is going to be the push going forward, but only because it hasn't been updated as a reskit item for several years. It works. But it's a workaround and not a

RE: [ActiveDir] logon scripts

2004-04-13 Thread deji Agba
What can I say? I'm still jet-lagged, I guess :) Thanks for the pointer. Sincerely, Dèjì Akómöláfé, MCSE MCSA MCP+I Microsoft MVP - Active Directory www.akomolafe.com www.iyaburo.com Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon From: Roger

RE: [ActiveDir] Updating Schema to Windows 2003

2004-04-13 Thread William . Smith
http://support.microsoft.com/default.aspx?scid=kb;en-us;278875 Salandra, Justin A. [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 04/13/2004 11:02 AM Please respond to ActiveDir To: [EMAIL PROTECTED] cc: Subject: RE: [ActiveDir] Updating Schema to Windows 2003 So

RE: [ActiveDir] Wlan AD Security

2004-04-13 Thread Mulnick, Al
That's a pretty valid argument to put any access to your network into an untrusted network segment, isn't it? Remote access, wired access (what about vendors that jack-in?) etc. There's some talk about using the reskit stuff to quarantine the network access. Some of the AP providers offer this

RE: [ActiveDir] Firewall

2004-04-13 Thread Mulnick, Al
Permissions? What else is different about them? Just because they have the same GPO's, are they applied as expected to the users affected? Are they in the same OU's etc? RSOP might be a worthwhile tool to look at if you suspect the GPO is not firing correctly but greyed out tabs are usually due

RE: [ActiveDir] logon scripts

2004-04-13 Thread Roger Seielstad
To quote Tony Murray-Smith - "I'm still trying to get used to being sober" -- Roger D. Seielstad - MTS MCSE MS-MVP Sr. Systems Administrator Inovis Inc. From: deji Agba [mailto:[EMAIL PROTECTED] Sent: Tuesday, April

RE: [ActiveDir] DFS use question

2004-04-13 Thread Marcus.Oh
Have you checked out the latest features in the Robocopy that comes w/ Windows 2003 Reskit? Very cool stuff... -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Tuesday, April 13, 2004 9:51 AM To: '[EMAIL PROTECTED]' Subject: RE:

RE: [ActiveDir] logon scripts

2004-04-13 Thread Jimmy Andersson
Sober? What's that??? :) /Jimmy From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad Sent: Tuesday, April 13, 2004 6:22 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] logon scripts To quote Tony Murray-Smith - "I'm still trying to get used to being sober"

RE: [ActiveDir] DFS use question

2004-04-13 Thread Rimmerman, Russ
Would that work ok on an all Win2000 domain on Win2000 servers? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Tuesday, April 13, 2004 9:07 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] DFS use question Have you checked out

RE: [ActiveDir] logon scripts

2004-04-13 Thread Mulnick, Al
Jet-lagged? Did you take a long detour on the way home? :) From: deji Agba [mailto:[EMAIL PROTECTED] Sent: Tuesday, April 13, 2004 11:11 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] logon scripts What can I say? I'm still jet-lagged, I guess :) Thanks for the pointer.

RE: [ActiveDir] Firewall

2004-04-13 Thread Douglas M. Long
I can't find anything else different. I get the same results for working and non-working users when I run gpresult. They are in the same OU, and GPs are applied as expected. I may sound stupid, but where do I set the attribute permissions for a single user? Isn't that something that I would have had

RE: [ActiveDir] logon scripts - Kixtart

2004-04-13 Thread Raymond McClinnis
We too are using Script logic, but we've had problems in the past running it over our WAN. That being said our problems are not typical and are a drawback from our wonderful bridged WAN and have nothing to do with the product. I like script logic though, it's very basic and easy to learn

[ActiveDir] enterprise-wide accounts

2004-04-13 Thread Creamer, Mark
We'd like to eventually trim down the number of domains and get to an OU-based administrative model. But in the meantime, we have identified a couple of people that we want to have domain admin rights in all domains. I know that making them an enterprise admin allows them domain admin

RE: [ActiveDir] enterprise-wide accounts

2004-04-13 Thread Depp, Dennis M.
What about adding them to each domain admins group for each domain? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark Sent: Tuesday, April 13, 2004 4:05 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] enterprise-wide accounts We'd like to eventually trim down the

RE: [ActiveDir] Photos in Active Directory

2004-04-13 Thread mikeb
All, Thanks for the feedback. There's some good information here that will help us determine the best way to do this. We're going to have an AMER and EMEA domain with an empty root but want to quickly and easily obtain the photo of any individual for security purposes. Over 60,000 users. I

RE: [ActiveDir] Wlan AD Security

2004-04-13 Thread Guy Teverovsky
I would say that the link below gives a pretty good reason for not plugging APs into internal LAN: http://www.cisco.com/en/US/products/products_security_advisory09186a00802119c8.shtml Guy On Tue, 2004-04-13 at 18:12, Mulnick, Al wrote: That's a pretty valid argument to put any access to your

RE: [ActiveDir] DFS use question

2004-04-13 Thread Mulnick, Al
Robocopy is a program that copies files and as I recall, can be scheduled. But what if I understand the requirements properly, that's not all you really need. It sounds like the files get used by users on both sides of the pond and potentially, what you may really need is a library type

[ActiveDir] GPO

2004-04-13 Thread Salandra, Justin A.
I used a Windows XP client running the GPMC and setup items in a GPO that are for Windows XP and higher, however it appears that they are not going into effect. I should not need a 2003 DC running in order to have these GPO settings take effect right? Justin A. Salandra, MCSE Senior Network

RE: [ActiveDir] enterprise-wide accounts

2004-04-13 Thread Cary, Mark
Could you use a Universal Group? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Tuesday, April 13, 2004 3:16 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] enterprise-wide accounts What about adding them to each domain admins group for each domain?

RE: [ActiveDir] Photos in Active Directory

2004-04-13 Thread Grillenmeier, Guido
If you're using this for security reasons, then the main challenge will not only be how to get a digital photo of everyone, but also to prove that the jpeg.file you're receiving to upload into AD is really the person who it's supposed to represent... - I'm sure that's the most fun part. And

RE: [ActiveDir] enterprise-wide accounts

2004-04-13 Thread Grillenmeier, Guido
domain admins is a global group and as such you can't add users from other domains to it. While other global groups can be converted to universal groups, you can't do so for the domain admins group. a solution to your problem is to use the restricted groups GPO feature (which will not work

RE: [ActiveDir] enterprise-wide accounts

2004-04-13 Thread Mike Celone
Alternatively you can do what we do here. We have a startup script that runs from a GPO that adds a group to the local administrators group every time the machine is started up. The script looks like this: net localgroup administrators /add "domain\admins" Just create a UG for all the admins

RE: [ActiveDir] GPO

2004-04-13 Thread Matjaz Ladava
No. GPO's are registry based (At least admin templates), so they should work on XP box without the need of Windows Server 2003. It is enough if you set them up from XP box or import them in 2000 DC (adm templates). What policies are we talking about? Run gpresult /v to get verbose information

RE: [ActiveDir] enterprise-wide accounts

2004-04-13 Thread Matjaz Ladava
Use restricted groups GPO setting on member servers and prescribe the membership in local Admin groups from other domains. Regards Matjaz Ladava MVP Windows server - Directory Services From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Depp, Dennis M. Sent:

[ActiveDir] Restricted Groups GPO

2004-04-13 Thread Rimmerman, Russ
Is there anything weird about applying a Restricted Groups GPO to a Windows 2003 server? For some reason, none of our Win2k3 servers in our Win2k AD domain are getting the local administrators group restricted groups GPO applied that all of our other machines are successfully getting. Any

RE: [ActiveDir] enterprise-wide accounts

2004-04-13 Thread Grillenmeier, Guido
won't Restricted groups remove any groups that are in the administrators group now except for the ones you specify? not if you have Win2k SP4 or Win2k3 and use the "MemberOf" option of the restricted groups. /Guido From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike

[ActiveDir] How to remove ADC from domain

2004-04-13 Thread Mike Celone
In my test lab I was doing a test migration from Exchange 5.5 to Exchange 2k. I had a machine setup with the ADC to move the 5.5 information into the directory. I came in the morning and the HD was dead on my ADC machine. Now the machine is dead but the computer account is still in the

RE: [ActiveDir] How to remove ADC from domain

2004-04-13 Thread joe
You will need to delete the computer object with ADUC (DSA.MSC) and the server object in sites and services with DSSITE.MSC, removing one will not impact the other. Alternatively you can use adsiedit to remove both or use a script. - http://www.joeware.net (download joeware)

RE: [ActiveDir] enterprise-wide accounts

2004-04-13 Thread joe
Mike, the functionality recently changed, that was a subject of a conversation on this list. Many of us were quite happily surprised to learn of the change. - http://www.joeware.net (download joeware) http://www.cafeshops.com/joewarenet (wear joeware) From: [EMAIL

RE: [ActiveDir] enterprise-wide accounts

2004-04-13 Thread joe
You can not add (haven't tried to hack this, probably is hard coded functionality) foreign users to the domain admin group of a domain, they must exist in the same domain - domain admins is a global group, standard rules apply. The best would be administrators group membership which, unlike NT4,

RE: [ActiveDir] logon scripts

2004-04-13 Thread joe
There is a killer TZ issue going south of Seattle. If that isn't a funny enough response try Deji, you misspelled drunk. :o) "It's rather unpleasantly like being drunk" "What's wrong with being drunk?" "Ask a glass of water" [1] joe [1] Lifted from Hitchhiker's Guide to the Galaxy.

RE: [ActiveDir] Firewall

2004-04-13 Thread joe
Yes, definitely not a firewall, I just wanted to pipe up with that to feel useful... This is permissions in AD. Since those permissions are set on the default SD in the schema for user objects, someone/thing cleared the self ACE for WP Personal Information... If I were a gambling man... I would

RE: [ActiveDir] Updating Schema to Windows 2003

2004-04-13 Thread joe
Heh. Which comment should I make which comment should I make which comment... =) Err. Hmmm. Blech. You can help this out usually by making sure that you have a specific Exchange Site for your Exchange Servers, place the DC/GCs into that site that you want Exchange to use. I.E. Keep the

RE: [ActiveDir] Firewall

2004-04-13 Thread Rick Kingslan
Don't be so certain. Not all traffic is, by default, let out. Check that with some third party tools that use 1024 ports. Effective in killing off the DDoS Zombie issues. Rick Kingslan MCSE, MCSA, MCT, CISSP Microsoft MVP: Windows Server / Directory Services Windows Server / Rights

RE: [ActiveDir] logon scripts

2004-04-13 Thread Rick Kingslan
bizarre.. ;oP -rtk From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jimmy Andersson Sent: Tuesday, April 13, 2004 11:41 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] logon scripts Sober? What's that??? :) /Jimmy From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]

RE: [ActiveDir] Updating Schema to Windows 2003

2004-04-13 Thread joe
Just a quick correction, they weren't replication issues before, they were resolution issues. Your AD replication wouldn't have been impacted by having a global group but your resolution of the lists would be on Exchange depending on what GC they hit for the resolution process. The replication

RE: [ActiveDir] Updating Schema to Windows 2003

2004-04-13 Thread joe
Yes, you should be able to adprep the forest with no problems if all DCs are running at least Windows 2000 SP3. Exchange 2003 isn't required. There is one KB that I think was mentioned that you need to keep an eye out which involves mangling a couple of class names. If it happens, it is an easy

[ActiveDir] scripting admin

2004-04-13 Thread Kern, Tom
sorry for what is more of a personal advice question- i'm a perl guy and i was wondering if for proper windows scripting, should i learn VBscript or can i get away with most admining with perl and activestate. i run a couple of linux and unix servers, so perl makes sense, but would it behove me

RE: [ActiveDir] scripting admin

2004-04-13 Thread joe
I say Perl... The activestate dist is great. I am not aware of anything off the top of my head you can do in vbscript that you can't do in perl. You may want to learn enough vbscript to convert vbscripts others have written to perl. Overall for really simple things vbscript may be easier at